Web applications are a primary means to breaching a company’s external network. It is a high-value goal for both malicious actors and security professionals to gain this valuable foothold. But how do you get from mere web application vulnerabilities to the compromise of a server? Common testing guidelines provide you a check list of items to test for, but very few show you how to utilize vulnerabilities to achieve testing goals.
Everyone knows that vulnerabilities have different levels of risk; But, what few talk about is the utility provided by vulnerabilities and how they can be used to achieve goals. Although some vulnerabilities are useful to note and impactful to a client, during a time gaped and scoped engagement they may not be able to be fully utilized. However, there are a handful of key direct vulnerabilities that can be leveraged to result in a compromise. These vulnerabilities, along with how to find them and how to leverage them for our needs, will be reviewed during this talk. Additionally, common attack strategies will be reviewed that can help a focus time and energies to maximize efforts in web server compromises.
Senior Security Associate Andrew Wilson is a featured speaker at the OWASP Phoenix Chapter Meeting, presenting If You Like It, Then You Shouldn’t Put a Ring3 on It